ScreditCrunch

I learnt two surprising and potentially dangerous things today. MobileMe’s webmail and Apple’s iDisk are not encrypted. Discussion of this available here and here.

While I can understand that the argument for email encryption is not that obvious, emails being inherently insecure for many cases, I am surprised and disappointed about the lack of SSL encryption for iDisks. This is especially surprising because if you mount an iDisk on Windows you can do so with SSL encryption and it works fine. Even more worrying is that backup data using Apple’s Backup software is also not encrypted. Now, I don’t tend to store anything of sensitive nature on my iDisk anyway, but I am positive this would catch a good number of people off guard who just expect it to be doing the right thing. Many Macs generally will also be synchronising their iDisks automatically so you could easily be transferring data over an insecure open WLAN the minute you connect to it.

This is doubly troubling because Apple does not actually warn users about this and I am certain many live with the warm cosy feeling that “Macs don’t have security problems”. Apple’s semi-official stance seems to be to use an encrypted disk image on iDisk if you want to pass around sensitive data, which I have yet to experiment with. However I can’t imagine why it would be difficult to use SSL for iDisks or allow the user to turn it on as an option. Finder could even verify certificates automatically and refuse to work if there’s a mismatch (thus removing the possibility of the user accepting a bad certificate).

Something for the Mac users out there to be aware of.